Abstract



This article concerns itself with the triangular permutation group, induced by triangular polynomial maps over $\mathbb{F}_p$. The aim of this article is twofold: on the one hand, we give an alternative to additive group actions on $\mathbb{F}_p^n$, namely $\mathbb{Z}$-actions on $\mathbb{F}_p^n$, and we describe them as what we call "$\mathbb{Z}$-flows". On the other hand, we describe how the triangular permutation group can be used in applications; in particular we give a cryptographic application for session-key generation. The described system has a certain degree of information-theoretic security. We compute its efficiency and storage size.

To make this work, we give explicit criteria for a triangular permutation map to have only one orbit; we call such maps "maximal orbit maps". We describe the conjugacy classes of maximal orbit maps, and show how one can conjugate them even further to the map $z \mapsto z+1$ on $\mathbb{Z}/p^n\mathbb{Z}$.

1 Introduction

When generalizing the concept of algebraic additive group actions on $k^n$, where $k$ is of characteristic zero, to fields of characteristic $p$, one tends to (obviously) go to $(k,+)$-actions on $k^n$. These then automatically have order $p$. This makes the generalization, though seemingly natural in some way, restrictive. For example, a common class of additive group actions is those induced by strictly triangular polynomial maps: maps of the form $(X_1 + g_1, \ldots, X_n + g_n)$ where $g_i \in k[X_1, \ldots, X_{i-1}]$. In characteristic zero all these maps can be embedded into a unique algebraic additive group action $\varphi : (k,+) \times k^n \to k^n$ such that $\varphi(1, X_1, \ldots, X_n)$ is exactly this map: analytically speaking, they are the "time-one maps of a $(k,+)$-flow on $k^n$". However, in characteristic $p$ they do not always have order $p$, so they cannot be part of a $(k,+)$-action.
To give an example, if $F = (x + y + z,\ y + z,\ z)$ in characteristic zero, then the additive group action becomes

$(t, (x, y, z)) \mapsto \big(x + ty + \tfrac{1}{2}(t^2 + t)z,\ y + tz,\ z\big).$

In particular, one can find a triangular polynomial map $F_T$ having coefficients in $k[T]$ such that $F_m$, being the evaluation of $F_T$ at $T = m$, equals $F^m$ for each $m \in \mathbb{Z}$. One of the nice things about strictly triangular polynomial maps in characteristic zero is indeed this property that it is easy to compute powers of the map, i.e. if $F$ is a strictly triangular map, then it is easy to compute $F^m(v)$ for any given $m \in \mathbb{N}$, $v \in k^n$: such a formula $F_T$ explains this. If one would like to consider $(x + y + z, y + z, z)$ as a map $\mathbb{F}_2^3 \to \mathbb{F}_2^3$, however, it is not directly possible to give such an explicit formula, as one cannot divide by 2! This article shows how to solve this problem for the case $k = \mathbb{F}_p$, by studying $(\mathbb{Z},+)$-actions instead of $(k,+)$-actions. Regardless of these actions, we explain how to quickly compute $F^m(v)$ for this case.

Being able to compute $F^m(v)$ quickly can be useful: in applications it can be useful to have a set of maps $\varphi_m$ which commute; an example is Diffie-Hellman key exchange (see section 6). One takes $\varphi_m = F^m$. We explain how to do this, compute its storage size and computational difficulty, and explain why it has a certain degree of security.

All of the theorems in section 2 are motivated by the application in sections 5 and 6, while those of section 4 are inspired by it. Section 3 is a preparation for section 4.
2 Triangular polynomial maps

2.1 The triangular permutation group $B_n(\mathbb{F}_p)$

Below, write $A_n := \mathbb{F}_p[X_1, \ldots, X_n]$, and write $\mathfrak{i}_n$ for the ideal in $A_n$ generated by the $X_i^p - X_i$. (Writing $\mathfrak{i}$, $A$ if $n$ is clear.) Write $x_i := X_i + \mathfrak{i}$, and write $R_n := \mathbb{F}_p[x_1, \ldots, x_n] = A_n/\mathfrak{i}_n$. In this article, a polynomial map is an element $F \in (A_n)^n$. Each $F$ induces a map $\mathbb{F}_p^n \to \mathbb{F}_p^n$, i.e. we have a map $\pi : (A_n)^n \to \mathrm{Hom}(\mathbb{F}_p^n, \mathbb{F}_p^n)$. Then $\mathfrak{i}_n^n$ (please read this as the $n$-fold product $(\mathfrak{i}_n)^n \subseteq (A_n)^n$, not as an ideal $\mathfrak{i}_{n^n} \subset A$!) is the kernel of $\pi$. Hence, we may see $\pi(F)$ as an element of $(R_n)^n$, and since $\pi$ is surjective (every map $\mathbb{F}_p^n \to \mathbb{F}_p$ is given by a polynomial), these elements coincide one to one with the elements of $\mathrm{Hom}(\mathbb{F}_p^n, \mathbb{F}_p^n)$. So it means that we can write maps like $(x_1 + x_2,\ x_2 + 1 + x_1) \in \mathrm{Hom}(\mathbb{F}_p^2, \mathbb{F}_p^2)$. The set of elements in $\mathrm{Hom}(\mathbb{F}_p^n, \mathbb{F}_p^n)$ which are isomorphisms we denote, as usual, by $\mathrm{Perm}(\mathbb{F}_p^n)$.

We define a polynomial map to be triangular if $F = (F_1, \ldots, F_n)$ where $F_i \in A_i = \mathbb{F}_p[X_1, X_2, \ldots, X_i]$.¹ Similarly, $F$ is called strictly triangular if $F_i - X_i \in A_{i-1} = \mathbb{F}_p[X_1, \ldots, X_{i-1}]$. We say that an element in $\mathrm{Hom}(\mathbb{F}_p^n, \mathbb{F}_p^n)$ is (strictly) triangular if it is the image of a (strictly) triangular element in $A_n^n$.

Polynomial maps can be composed, yielding another polynomial map, and hence we have an associative operation $\circ$ on $(A_n)^n$. The polynomial map $I := (X_1, \ldots, X_n)$ is an identity with respect to this operation, and a polynomial map is said to be invertible if it has a polynomial inverse. The polynomial maps which are invertible form a group, denoted $\mathrm{GA}_n(\mathbb{F}_p)$. Thus, $\pi(\mathrm{GA}_n(\mathbb{F}_p)) \subseteq \mathrm{Perm}(\mathbb{F}_p^n)$ (see [HR CH Q2] on the image of this group). The set of strictly triangular polynomial maps forms a subgroup (see [6], section 3.6) denoted by $B_n^0(\mathbb{F}_p)$ (see [2] for the reasoning behind the naming of these groups). One can also define the groups $B_{n-m}(A_m) \subseteq B_n(\mathbb{F}_p)$ and $B^0_{n-m}(A_m) \subseteq B_n^0(\mathbb{F}_p)$.

In this article we will focus on the group $\pi(B_n^0(\mathbb{F}_p))$, for which we introduce the shorthand notation $B_n(\mathbb{F}_p)$. We also have the groups²

$B_{n-m}(R_m) \le B_n(\mathbb{F}_p).$

¹ Note that often the definition is to let $F_i \in \mathbb{F}_p[X_i, \ldots, X_n]$ (and in fact we are used to it ourselves), but for this article it turned out to be more convenient to choose the definition in the text; some induction proofs then have easier indices.

Elements $\sigma \in B_n(\mathbb{F}_p)$ thus have a unique representation of the form

$\sigma = \big(x_1 + g_1,\ x_2 + g_2(x_1),\ \ldots,\ x_n + g_n(x_1, \ldots, x_{n-1})\big)$

where we assume that $\deg_{x_j}(g_i) \le p-1$ for each $1 \le i, j \le n$. If $\sigma \in B_{n-m}(R_m)$, then it is as above, only $g_i = 0$ if $i \le m$. We will write $e = \pi(I) \in \mathrm{Perm}(\mathbb{F}_p^n)$. We start with a few generalities on elements of $B_n$:

Lemma 2.1. Let $\sigma \in B_n(\mathbb{F}_p)$. Then

i $B_{n-m}(R_m) \trianglelefteq B_n(\mathbb{F}_p)$.

ii $B_{n-m}(R_m)/B_{n-m-k}(R_{m+k}) \cong B_k(R_m)$. In particular, $B_{n-m}(R_m)/B_{n-m-1}(R_{m+1}) \cong B_1(R_m)$, which is isomorphic to the group $(R_m, +)$.

iii If $\sigma \in B_{n-m}(R_m)$, then $\sigma^p \in B_{n-m-1}(R_{m+1})$.

iv If $\sigma \in B_n(\mathbb{F}_p)$, then $\sigma^{p^n} = e$.

v Any cycle in $\sigma \in B_n(\mathbb{F}_p)$ has length $p^i$ for some $i$.

vi $\#B_{n-m}(R_m) = p^{(p^n - p^m)/(p-1)}$. In particular, $B_n(\mathbb{F}_p)$ is a $p$-Sylow subgroup of $\mathrm{Perm}(\mathbb{F}_p^n)$.

vii If $\gcd(m,p) = 1$, then for $\sigma \in B_n(\mathbb{F}_p)$ there exists $\tau \in B_n(\mathbb{F}_p)$ such that $\tau^m = \sigma$.

Proof. (i) If $\sigma \in B_n(\mathbb{F}_p)$, write $\sigma_m \in B_m(\mathbb{F}_p)$ for the first $m$ coordinates. If one composes elements $\sigma, \tau \in B_n(\mathbb{F}_p)$, then one can easily check that $(\sigma\tau)_m = \sigma_m\tau_m$. Now $\sigma \in B_n(\mathbb{F}_p)$ satisfies $\sigma \in B_{n-m}(R_m)$ if and only if $\sigma_m = e \in B_m(\mathbb{F}_p)$. Thus, if $\sigma \in B_{n-m}(R_m)$ and $\tau \in B_n(\mathbb{F}_p)$, then $(\tau^{-1}\sigma\tau)_m = \tau_m^{-1} e\, \tau_m = e$, hence $B_{n-m}(R_m)$ is closed under conjugation by elements of $B_n(\mathbb{F}_p)$ and hence normal.

(ii) A proof sketch to save space: modding out $B_{n-m-k}(R_{m+k})$ removes the last $n-m-k$ coordinates and leaves the first $m+k$ coordinates intact. To understand $B_1(R)$ for a ring $R$, note that elements are of the form $(x_1 + r)$ and that $(x_1 + r)(x_1 + s) = (x_1 + r + s)$.

(iii) Any element in $(R_m, +)$ has order $p$ (or 1), hence if $\sigma \in B_{n-m}(R_m)$ then $\sigma B_{n-m-1}(R_{m+1}) \in B_{n-m}(R_m)/B_{n-m-1}(R_{m+1})$ has order dividing $p$; hence $\sigma^p \in B_{n-m-1}(R_{m+1})$.

(iv) Applying (iii) $n$ times yields that if $\sigma \in B_n(\mathbb{F}_p) = B_n(R_0)$, then $\sigma^{p^n} \in B_0(R_n)$, which is the trivial group.

(v) follows easily from (iv).

(vi) The number of coefficients of $g_i$ is $p^{i-1}$. Hence, an element in $B_{n-m}(R_m)$ is determined by $p^m + p^{m+1} + \cdots + p^{n-1} = (p^n - p^m)/(p-1)$ coefficients. The stated formula follows since each coefficient can take $p$ values. For $m = 0$ this gives $p^{(p^n-1)/(p-1)}$, which by Legendre's formula is exactly the largest power of $p$ dividing $(p^n)! = \#\mathrm{Perm}(\mathbb{F}_p^n)$.

(vii) Since $\gcd(m, p^n) = 1$ there exist $a, b \in \mathbb{Z}$ such that $am + bp^n = 1$. Pick $\tau := \sigma^a$; then $\tau^m = \sigma^{am} = \sigma^{1 - bp^n} = \sigma$ by (iv). □

² There is a small formal issue here: if $\sigma \in B_k(R)$ then $\sigma = (x_1 + g_1, \ldots, x_k + g_k)$ where $g_i \in R[x_1, \ldots, x_{i-1}]$, but we actually mean: if $\sigma \in B_{n-m}(R_m)$ then $\sigma = (x_{1+m} + g_{1+m}, \ldots, x_n + g_n)$ where $g_{i+m} \in R_m[x_{1+m}, \ldots, x_{i+m-1}]$, and not even that: we identify $(x_{1+m} + g_{1+m}, \ldots, x_n + g_n)$ with $(x_1, x_2, \ldots, x_m, x_{1+m} + g_{1+m}, \ldots, x_n + g_n)$. However, these formal things are easily fixed, and we do not want to interrupt the flow of the article with these formalities: all elements are from the group $B_n(\mathbb{F}_p)$ and the groups mentioned are all subgroups of this group.

With respect to lemma 2.1 part (vi) we mention the papers of Kaluznin from 1945 and 1947 [7, 8], which were motivated by finding the $p$-Sylow subgroups of $\mathrm{Perm}(N)$ where $N \in \mathbb{N}^*$. His description of the $p$-Sylow groups of $\mathrm{Perm}(p^n)$ is exactly the triangular permutation group.

2.2 Maximal orbit maps

Definition 2.2. We define $\sigma \in B_n(\mathbb{F}_p)$ to be of maximal orbit if $\sigma$ consists of one permutation cycle of length $p^n$.

The reason that we do not generalize the results of this article to other finite fields (i.e. finite extensions of $\mathbb{F}_p$) is that there exist no elements of maximal orbit in $B_n(\mathbb{F}_{p^m})$ if $m \ge 2$. (One can prove lemma 2.1 part (iv) for $\mathbb{F}_{p^m}$ for all $m$, since $(R_m, +)$ still has exponent $p$, so the longest possible orbit is $p^n$ instead of $p^{nm}$.)

Theorem 2.3. $\sigma = (x_1 + g_1, \ldots, x_n + g_n)$ is of maximal orbit if and only if the coefficient $c_i$ of $x_1^{p-1} \cdots x_{i-1}^{p-1}$ in $g_i$ is nonzero for each $1 \le i \le n$. Furthermore, if $\sigma$ is of maximal orbit, then

$\sigma^{p^{n-1}}(\alpha, a) = \big(\alpha,\ a + (-1)^{n-1} c_n\big)$

for each $a \in \mathbb{F}_p$, $\alpha \in \mathbb{F}_p^{n-1}$.

Proof. We will prove the result by induction on $n$. If $n = 1$ then $\sigma = (x_1 + g_1)$ with $g_1 \in \mathbb{F}_p$, and this is a cycle of length $p$ if and only if $g_1 \ne 0$. Suppose the theorem is proven for $n-1$. Write $\sigma = (\bar\sigma, \sigma_n)$ where $\bar\sigma$ can be seen as an element of $B_{n-1}(\mathbb{F}_p)$. Let $a = (\bar a, a_n) \in \mathbb{F}_p^n$ where $a_n \in \mathbb{F}_p$, $\bar a \in \mathbb{F}_p^{n-1}$. By the induction assumption, $\bar\sigma$ permutes $\mathbb{F}_p^{n-1}$ in one $p^{n-1}$-cycle if and only if the coefficients $c_1, \ldots, c_{n-1}$ are nonzero. In particular, if $\bar\sigma$ is not of maximal orbit, let $\beta \in \mathbb{F}_p^{n-1}$ be such that iterating $\bar\sigma$ on $\bar a$ never reaches $\beta$. Then iterating $\sigma$ on $a$ will never reach $(\beta, a_n)$, and $\sigma$ is not of maximal orbit. So let us assume that $\bar\sigma$ is of maximal orbit, and let us determine whether the coefficient of $(x_1 x_2 \cdots x_{n-1})^{p-1}$ in $g_n$ decides if $\sigma$ is of maximal orbit.

Iterating $\bar\sigma$ on $\bar a$ cycles through all elements

$\bar\alpha_0, \bar\alpha_1, \ldots, \bar\alpha_{p^{n-1}-1}$

(where $\bar\alpha_0 := \bar a$) of $\mathbb{F}_p^{n-1}$, and $\bar\sigma^{p^{n-1}}(\bar a) = \bar a$. Hence, $\sigma^i(a) = (\bar\alpha_i, b_i)$ for some $b_i \in \mathbb{F}_p$. One sees that $\sigma(\bar\alpha_i, b_i) = (\bar\alpha_{i+1}, b_i + g_n(\bar\alpha_i))$, and thus we have $b_{i+1} = b_i + g_n(\bar\alpha_i)$, yielding the formula

$b_i = a_n + \sum_{j=0}^{i-1} g_n(\bar\alpha_j).$

We apply the above formula for $i = p^{n-1}$, where we need to compute

$\sum_{j=0}^{p^{n-1}-1} g_n(\bar\alpha_j) = \sum_{\beta \in \mathbb{F}_p^{n-1}} g_n(\beta).$

We can split the sum for each monomial appearing in $g_n$. By lemma 2.4 below we see that only the term $(x_1 x_2 \cdots x_{n-1})^{p-1}$ is of importance. Hence, if the coefficient $c_n$ of this term in $g_n$ is zero, then $\sigma^{p^{n-1}}(a) = a$ and $\sigma$ is not of maximal orbit, and if $c_n \in \mathbb{F}_p^*$, then

$\sigma^{p^{n-1}}(\bar a, a_n) = \big(\bar a,\ a_n + (-1)^{n-1} c_n\big),$

so the orbit of $a$ under $\sigma$ has length $p \cdot p^{n-1} = p^n$, and hence $\sigma$ is of maximal orbit. □

Lemma 2.4. Let $M(x_1, \ldots, x_n) = x_1^{a_1} x_2^{a_2} \cdots x_n^{a_n}$ where $0 \le a_i \le p-1$ for each $1 \le i \le n$. Then $\sum_{\alpha \in \mathbb{F}_p^n} M(\alpha) = 0$ unless $a_1 = a_2 = \ldots = a_n = p-1$, when it is $(-1)^n$.

Proof. We proceed by induction on $n$. For $n = 1$ we have a standard exercise on finite fields: we get the sum $S$ of the $d$-th powers of the elements of $\mathbb{F}_p$. If $d = 0$ then $S = p \cdot 1 = 0$. If $d \ge 1$, let $a$ be a generator of $\mathbb{F}_p^*$; the element $0$ contributes nothing, so $S = \sum_{i=0}^{p-2} (a^i)^d$. Let $b = a^d$. Then $S = \sum_{i=0}^{p-2} b^i$. If $d = p-1$, then $b = 1$ and $S = p-1 = -1$. If $0 < d < p-1$, then $b \ne 1$, and $S(b-1) = b^{p-1} - 1 = 0$. Since $b - 1 \ne 0$, $S = 0$.

Now assume the lemma has been proven for $n-1$. Define $\bar M := x_2^{a_2} \cdots x_n^{a_n}$. Then

$\sum_{\alpha \in \mathbb{F}_p^n} M(\alpha) = \sum_{b \in \mathbb{F}_p} b^{a_1} \Big( \sum_{\bar\alpha \in \mathbb{F}_p^{n-1}} \bar M(\bar\alpha) \Big) = \bar S \cdot \sum_{b \in \mathbb{F}_p} b^{a_1}$

where $\bar S = 0$ unless $a_2 = \ldots = a_n = p-1$, when it is $(-1)^{n-1}$, by induction. Now $\sum_{b \in \mathbb{F}_p} b^{a_1} = 0$ unless $a_1 = p-1$, when it is $-1$. Thus the lemma is proven. □
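The following Python script is an added example (it is not code from the paper) that checks theorem 2.3 and lemma 2.4 by brute force for small $p$ and $n$: it enumerates all of $B_n(\mathbb{F}_p)$, compares the coefficient criterion with the orbit length obtained by iterating the map on $\mathbb{F}_p^n$, and verifies the shift formula for $\sigma^{p^{n-1}}$ on every maximal orbit map. The representation of a map as a list of coefficient dictionaries is an assumption of this example, not the paper's notation. Theorem 2.3 also predicts the count the script returns: one nonzero top coefficient and $p^{i-1} - 1$ free coefficients per coordinate give $\prod_{i=1}^{n} (p-1)\,p^{p^{i-1}-1}$ maximal orbit maps, i.e. 36 for $p = 3, n = 2$ and 16 for $p = 2, n = 3$.

```python
"""Exhaustive check of theorem 2.3 and lemma 2.4 for small p and n.

Added example; not code from the paper.  A map sigma = (x_1 + g_1, ..., x_n + g_n)
in B_n(F_p) is stored as a list of the polynomials g_i, each a dict
{exponent tuple: coefficient} in the variables x_1 .. x_{i-1} (so the exponent
tuples of g_i have length i-1), with all exponents below p.
"""
from itertools import product


def eval_poly(g, point, p):
    """Evaluate g (dict exponents -> coefficient) at a point of F_p^k."""
    total = 0
    for exps, c in g.items():
        term = c
        for x, e in zip(point, exps):
            term = term * pow(x, e, p) % p
        total = (total + term) % p
    return total


def apply_map(gs, point, p):
    """sigma(point): coordinate i becomes x_i + g_i(x_1, ..., x_{i-1})."""
    return tuple((point[i] + eval_poly(g, point[:i], p)) % p
                 for i, g in enumerate(gs))


def iterate(gs, point, p, times):
    for _ in range(times):
        point = apply_map(gs, point, p)
    return point


def orbit_length(gs, point, p):
    """Length of the sigma-cycle through point (a power of p by lemma 2.1 (v))."""
    current, length = apply_map(gs, point, p), 1
    while current != point:
        current, length = apply_map(gs, current, p), length + 1
    return length


def top_coefficient(gs, i, p):
    """The c_i of theorem 2.3: coefficient of (x_1 ... x_{i-1})^(p-1) in g_i."""
    return gs[i - 1].get((p - 1,) * (i - 1), 0) % p


def maximal_by_criterion(gs, p):
    return all(top_coefficient(gs, i, p) != 0 for i in range(1, len(gs) + 1))


def maximal_by_iteration(gs, p):
    """Definition 2.2 directly: the orbit of 0 is all of F_p^n."""
    n = len(gs)
    return orbit_length(gs, (0,) * n, p) == p ** n


def all_maps(p, n):
    """Every element of B_n(F_p): free choice of each coefficient of each g_i."""
    monomials = [list(product(range(p), repeat=i)) for i in range(n)]
    per_coordinate = [
        [dict(zip(monomials[i], coeffs))
         for coeffs in product(range(p), repeat=len(monomials[i]))]
        for i in range(n)
    ]
    for gs in product(*per_coordinate):
        yield list(gs)


def count_maximal_orbit_maps(p, n):
    """(number of maximal orbit maps,
        criterion agrees with iteration for every map,
        sigma^{p^{n-1}}(alpha, a) == (alpha, a + (-1)^{n-1} c_n) for every maximal map)."""
    count, agree, shift_ok = 0, True, True
    for gs in all_maps(p, n):
        crit = maximal_by_criterion(gs, p)
        agree &= crit == maximal_by_iteration(gs, p)
        if crit:
            count += 1
            shift = (-1) ** (n - 1) * top_coefficient(gs, n, p) % p
            for pt in product(range(p), repeat=n):
                image = iterate(gs, pt, p, p ** (n - 1))
                shift_ok &= image[:-1] == pt[:-1] and image[-1] == (pt[-1] + shift) % p
    return count, agree, shift_ok


def monomial_sum(exps, p):
    """Lemma 2.4: the sum of x^exps over all of F_p^n."""
    return sum(eval_poly({tuple(exps): 1}, pt, p)
               for pt in product(range(p), repeat=len(exps))) % p


if __name__ == "__main__":
    print(count_maximal_orbit_maps(3, 2), count_maximal_orbit_maps(2, 3))
    print(monomial_sum((2, 2), 3), monomial_sum((2, 1), 3), monomial_sum((2,), 3))
```

The exhaustive loop is only feasible for tiny parameters (for $p = 3, n = 3$ the group already has $3^{13}$ elements); the point of the criterion is precisely that one never has to run the orbit to decide maximality.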

So, the above theorem 2.3 gives a clear criterion in the coefficients appearing in $\sigma$ for when an element in $B_n(\mathbb{F}_p)$ is of maximal orbit. Now, note that lemma 2.1 part (vii) actually tells one that it is possible to find an "$m$-th root" of any $\sigma \in B_n(\mathbb{F}_p)$ when $\gcd(m,p) = 1$. For $m = p$, however, it will not always be possible. (In particular, if $\sigma$ is of maximal orbit, it is not possible: a $p$-th power has all its cycles of length at most $p^{n-1}$.) This induces a few questions we were unable to solve as satisfactorily as theorem 2.3 does:
Question 2.5.

(1) Can one recognise from the coefficients of $\sigma \in B_n(\mathbb{F}_p)$ whether $\sigma$ is a $p$-th power of another map in $B_n(\mathbb{F}_p)$? In particular, what is $B_{n-1}(R_1)/G$ where $G := \{\sigma^p \mid \sigma \in B_n(\mathbb{F}_p)\}$?

(2) Can one recognise from the coefficients of $\sigma \in B_n(\mathbb{F}_p)$ whether $\sigma$ is a $p^i$-th power of a map of maximal orbit?

(Note that $G$ in (1) is a fully invariant subgroup of $B_n(\mathbb{F}_p)$, and in particular normal, see [H], page 28.)

There are some necessary requirements, like in (1) $\sigma$ must be in $B_{n-1}(R_1)$ and (consequently) in (2) $\sigma \in B_{n-i}(R_i)$, but these are by no means sufficient: $(x_1, x_2 + x_1)$ is not a $p$-th power while $(x_1, x_2 + 1)$ is (for instance $(x_1 + 1, x_2 - x_1^{p-1})^p = (x_1, x_2 + 1)$ by theorem 2.3).

2.3 Classification of maximal orbit maps

The following few lemmas are meant to be tools to reduce the number of coefficients necessary to describe $\sigma$. First, we will consider the issue that if two maps are powers of each other, then they are interchangeable in some sense (in particular in the application). After that we will find the conjugacy classes of maximal orbit maps.

Definition 2.6. We say that two permutations $c, d \in \mathrm{Perm}(N)$ where $N \in \mathbb{N}^*$ are equivalent if $\langle c \rangle = \langle d \rangle$, i.e. there exist $a, b \in \mathbb{N}^*$ such that $c^a = d$ and $d^b = c$.

Definition 2.7. $\sigma = (x_1 + g_1, \ldots, x_n + g_n) \in B_n(\mathbb{F}_p)$ is said to be in standard form if $\sigma(0, 0, \ldots, 0) = (1, 0, \ldots, 0)$, i.e. $g_1 = 1$ and the constant terms of $g_2, \ldots, g_n$ are zero.

Lemma 2.8. If $\sigma \in B_n(\mathbb{F}_p)$ is of maximal orbit, then there is exactly one $\sigma' \in B_n(\mathbb{F}_p)$ in standard form such that $\sigma, \sigma'$ are equivalent. In other words, the standard form maximal orbit maps form a system of representatives of the maximal orbit maps modulo equivalence.

Proof. Write $\sigma = (x_1 + g_1, \bar\sigma)$. Since $\sigma$ is of maximal orbit, $g_1 \ne 0$. Now let $a \in \mathbb{N}$ be an inverse of $g_1$ modulo $p$. Then $\sigma^a = (x_1 + ag_1, \ldots) = (x_1 + 1, \ldots)$ and by lemma 2.1 part (vii), $\sigma^a$ is equivalent to $\sigma$. So we can assume that $g_1 = 1$ by replacing $\sigma$ by $\sigma^a$.

Now, starting with $O := (0, 0, \ldots, 0)$ and iterating $\sigma$, we see that $\sigma^m(O) = (m \bmod p, \ldots)$. So this first coordinate equals 1 if and only if $m \bmod p = 1$, which means that $m = ap + 1$ for some $a \in \mathbb{N}$. Since $\sigma$ is of maximal orbit, the sequence $O, \sigma(O), \sigma^2(O), \ldots, \sigma^{p^n - 1}(O)$ lists all elements of $\mathbb{F}_p^n$. The sublist of vectors starting with 1 is $\sigma(O), \sigma^{p+1}(O), \sigma^{2p+1}(O), \ldots, \sigma^{p^n - p + 1}(O)$. One of these elements equals $(1, 0, \ldots, 0)$, i.e. there exists exactly one $a \in \mathbb{N}$ with $0 \le a < p^{n-1}$ such that $\sigma^{ap+1}(O) = (1, 0, \ldots, 0)$. By lemma 2.1 (vii), $\sigma^{ap+1}$ is equivalent to $\sigma$ (as $\gcd(ap+1, p) = 1$), and it satisfies the above requirement. (Uniqueness is automatic, as for a cycle of length $p^n$ in $\mathrm{Perm}(\mathbb{F}_p^n)$ there is only one power of that cycle sending $O$ to $(1, 0, \ldots, 0)$.) □
We will now focus on finding representatives for the conjugacy classes of maximal orbit maps.

Definition 2.9. Write $x^\alpha = x_1^{\alpha_1} \cdots x_n^{\alpha_n}$ for $\alpha \in \mathbb{F}_p^n$ (identifying $\mathbb{F}_p$ with $\{0, 1, \ldots, p-1\}$). Define

$R_n^- := \bigoplus_{\alpha \in \mathbb{F}_p^n,\ \alpha \ne (p-1, \ldots, p-1)} \mathbb{F}_p\, x^\alpha,$

the subvector space of $R_n$ without the monomial $(x_1 \cdots x_n)^{p-1}$.

If $\sigma \in B_n(\mathbb{F}_p)$, define $\sigma^* : R_n \to R_n$ by $\sigma^*(f) = f(\sigma)$. We denote by $e^*$ the identity map on $R_n$.

Lemma 2.10. If $\sigma \in B_n(\mathbb{F}_p)$ is of maximal orbit, then $\ker(\sigma^* - e^*) = \mathbb{F}_p$. (The converse is also true: if the kernel is $\mathbb{F}_p$, then $\sigma$ is of maximal orbit.)

Proof. Let $f \in \ker(\sigma^* - e^*)$. Then $0 = \sigma^*(f) - e^*(f) = f(\sigma) - f$, so $f = f(\sigma)$, and thus $f = f(\sigma^i)$ for all $i$. Let $\alpha \in \mathbb{F}_p^n$; then $f(\alpha) = f(\sigma^i(\alpha))$ for each $i$. Since $\sigma$ is of maximal orbit, we thus get that $f(\alpha) = f(\beta)$ for each $\beta \in \mathbb{F}_p^n$, in other words, $f$ is a constant function. Since $f \in R_n$ and elements of $R_n$ are determined by their values, this indeed means $f \in \mathbb{F}_p$.
The converse goes similarly: if $\sigma$ is not of maximal orbit, then $f$ only needs to be constant on the orbits of $\sigma$, so the kernel is strictly larger than $\mathbb{F}_p$. □

Corollary 2.11. If $\sigma \in B_n(\mathbb{F}_p)$, then $\mathrm{Im}(\sigma^* - e^*) \subseteq R_n^-$. If $\sigma$ is of maximal orbit, then we even have equality $\mathrm{Im}(\sigma^* - e^*) = R_n^-$.

Proof. Note that $\sigma^*(R_n^-) \subseteq R_n^-$, and a computation shows that $(\sigma^* - e^*)((x_1 \cdots x_n)^{p-1}) \in R_n^-$. (Both facts also follow from lemma 2.4: the coefficient of $(x_1 \cdots x_n)^{p-1}$ in $f \in R_n$ equals $(-1)^n \sum_{\alpha \in \mathbb{F}_p^n} f(\alpha)$, and this sum is unchanged by precomposing $f$ with the permutation $\sigma$.) Because of linearity of $\sigma^* - e^*$ we thus have that $(\sigma^* - e^*)R_n = (\sigma^* - e^*)(\mathbb{F}_p (x_1 \cdots x_n)^{p-1} + R_n^-) \subseteq \mathbb{F}_p (\sigma^* - e^*)((x_1 \cdots x_n)^{p-1}) + (\sigma^* - e^*)(R_n^-) \subseteq R_n^-$.

The second part follows from lemma 2.10: the kernel has dimension 1, so the image must have codimension 1, and $R_n^-$ has codimension 1 in $R_n$. □

Proposition 2.12. Let $\sigma, \tau \in B_n(\mathbb{F}_p)$ be of maximal orbit, i.e.

$\sigma = \big(x_1 + \lambda_1,\ x_2 + \lambda_2 x_1^{p-1} + g_2,\ x_3 + \lambda_3 (x_1 x_2)^{p-1} + g_3,\ \ldots,\ x_n + \lambda_n (x_1 \cdots x_{n-1})^{p-1} + g_n\big),$

$\tau = \big(x_1 + \mu_1,\ x_2 + \mu_2 x_1^{p-1} + h_2,\ x_3 + \mu_3 (x_1 x_2)^{p-1} + h_3,\ \ldots,\ x_n + \mu_n (x_1 \cdots x_{n-1})^{p-1} + h_n\big),$

where $\lambda_i, \mu_i \in \mathbb{F}_p^*$ and $g_i, h_i \in R_{i-1}^-$. Then there exists $\varphi \in B_n(\mathbb{F}_p)$ such that $\varphi^{-1}\sigma\varphi = \tau$ if and only if $\lambda_i = \mu_i$ for all $1 \le i \le n$. If $\varphi$ exists, then one may additionally assume $\varphi$ to be in standard form (see definition 2.7), and then it is unique.

The above proposition hence shows that $(\lambda_1, \ldots, \lambda_n)$ is a complete conjugacy invariant for $\sigma$.

Proof. By induction on $n$. The case $n = 1$ is obvious: $B_1(\mathbb{F}_p)$ is abelian, so one picks $\varphi = (x_1 + 1)$, which is in standard form. Write $\sigma = (\bar\sigma, x_n + g_n)$, $\tau = (\bar\tau, x_n + h_n)$. The induction assumption means we can find a unique standard form map $\bar\varphi$ in $n-1$ variables such that $\bar\varphi^{-1}\bar\sigma\bar\varphi = \bar\tau$ if and only if $\lambda_1 = \mu_1, \ldots, \lambda_{n-1} = \mu_{n-1}$. We will extend it: $\varphi := (\bar\varphi, x_n)\psi$ where $\psi := (x_1, \ldots, x_{n-1}, x_n + f_n)$. Write $(\bar\varphi, x_n)^{-1}\sigma(\bar\varphi, x_n) = (\bar\tau, x_n + \lambda_n (x_1 \cdots x_{n-1})^{p-1} + k_n)$ where $k_n \in R_{n-1}^-$. Now a computation reveals $\psi^{-1}(\bar\tau, x_n + \lambda_n (x_1 \cdots x_{n-1})^{p-1} + k_n)\psi = (\bar\tau, x_n + \lambda_n (x_1 \cdots x_{n-1})^{p-1} + k_n + (e^* - \bar\tau^*)(f_n))$. We thus are (only) able to change $\lambda_n (x_1 \cdots x_{n-1})^{p-1} + k_n$ by elements of $R_{n-1}^-$, as corollary 2.11 shows, meaning that $\tau$ and $\sigma$ are only conjugate if $\lambda_n = \mu_n$. Let us assume the latter, and pick $f_n$ so that $(e^* - \bar\tau^*)(f_n) = h_n - k_n$, which is possible by corollary 2.11 since $\bar\tau$ is of maximal orbit. If we assume $f_n$ to have constant part zero then $f_n$ is unique (lemma 2.10), $\varphi$ is now in standard form by construction, and the above shows that it is unique. □

Definition 2.13. Define $\delta_i \in R_i$ as the polynomial such that $\delta_i(p-1, \ldots, p-1) = 1$ and $\delta_i(\alpha) = 0$ for all other $\alpha \in \mathbb{F}_p^i$. (And $\delta_0 = 1$.) Then define

$\Delta := (x_1 + \delta_0,\ x_2 + \delta_1,\ \ldots,\ x_n + \delta_{n-1}).$

Theorem 2.14. Let $\sigma \in B_n(\mathbb{F}_p)$ be of maximal orbit. Then there exist a unique $\varphi \in B_n(\mathbb{F}_p)$ in standard form and a diagonal linear map $D$ such that $D^{-1}\varphi^{-1}\sigma\varphi D = \Delta$.

Proof. Write $\mu_i$ for the coefficient of $(x_1 \cdots x_{i-1})^{p-1}$ in $\delta_{i-1}$ ($\mu_1 = 1$; by lemma 2.4, $\mu_i = (-1)^{i-1}$, in particular nonzero). By proposition 2.12 we see that $\sigma$ is conjugate to $(x_1 + \lambda_1, x_2 + \lambda_2\delta_1, \ldots, x_n + \lambda_n\delta_{n-1})$ for suitable $\lambda_i \in \mathbb{F}_p^*$. Write $D := (\lambda_1 x_1, \ldots, \lambda_n x_n)$. By proposition 2.12 there exists a unique $\varphi \in B_n(\mathbb{F}_p)$ in standard form such that $\varphi^{-1}\sigma\varphi = (x_1 + \lambda_1, x_2 + \lambda_2\delta_1(D^{-1}), x_3 + \lambda_3\delta_2(D^{-1}), \ldots, x_n + \lambda_n\delta_{n-1}(D^{-1}))$. Now a computation reveals that $D^{-1}\varphi^{-1}\sigma\varphi D = \Delta$. □

The above theorem thus enables us to see all maximal orbit maps as a unique conjugate of one map, namely $\Delta$. This map is, in some sense, very simple, as the following remark shows:

Remark 2.15. Define the bijection $\zeta : \mathbb{Z}/p^n\mathbb{Z} \to (\mathbb{F}_p)^n$ by $\zeta(a_0 + a_1 p + \ldots + a_{n-1}p^{n-1}) = (a_0, \ldots, a_{n-1}) \bmod p$ where $0 \le a_i \le p-1$. Then $\zeta^{-1}\Delta\zeta$ is the map $m \mapsto m+1$. (Indeed, $\Delta$ adds 1 to the first digit, and $\delta_{i-1}$ carries a 1 into the $i$-th digit exactly when all lower digits equal $p-1$.)

The following lemma is specifically necessary for the application in section 5, in order to prove a certain degree of security.

Lemma 2.16. Let $\sigma \in B_n(\mathbb{F}_p)$ be of maximal orbit, let $\alpha_i \in \mathbb{F}_p^n$ for $1 \le i \le m+1$ and $\beta_i := \sigma(\alpha_i)$. Let

$\Omega := \{\tau \in B_n(\mathbb{F}_p) \mid \tau(\alpha_i) = \beta_i \text{ for } 1 \le i \le m,\ \tau \text{ of maximal orbit}\}.$

Write $\tau_j$ for the $j$-th coordinate of $\tau$. If $p^{j-1} \le m$ and the projections of $\alpha_1, \ldots, \alpha_m$ to the first $j-1$ coordinates cover $\mathbb{F}_p^{j-1}$ (for $j$ small compared to $\log_p(m)$ this is the generic situation), then $\tau_j(\alpha_{m+1})$ takes the same value for every $\tau \in \Omega$. If $p^{j-1} > m$ and the first $j-1$ coordinates of $\alpha_{m+1}$ differ from those of every $\alpha_i$, $i \le m$, then the values $\tau_j(\alpha_{m+1})$, with $\tau$ running over $\Omega$, are uniformly distributed on $\mathbb{F}_p$.
Hence, when knowing $m$ pairs $(\alpha_i, \sigma(\alpha_i))$ of a specific $\sigma$ as above, then given another value $\alpha_{m+1}$ one can predict the first $\lfloor \log_p(m) \rfloor + 1$ coordinates of $\sigma(\alpha_{m+1})$ with certainty, while the other coordinates are, for a generic $\alpha_{m+1}$, fully unknown. Note that a coordinate $\tau_j(\alpha_{m+1})$ is also fixed whenever $\alpha_{m+1}$ shares its first $j-1$ coordinates with one of the known $\alpha_i$, regardless of $m$.
Proof. Let $\tau = (f_1, \ldots, f_n)$ as stated. Note that $f_j = x_j + g_j(x_1, \ldots, x_{j-1})$ and that $g_j$ has $p^{j-1}$ coefficients (of which one, the coefficient of $(x_1 x_2 \cdots x_{j-1})^{p-1}$, is nonzero, a fact we will ignore). What in fact is given is, for each $1 \le j \le n$, a list of $m$ pairs $(\alpha_i, g_j(\alpha_i))$, where $g_j(\alpha_i)$ is the $j$-th coordinate of $\beta_i - \alpha_i$. Each such pair gives one linear equation on the coefficients of $g_j$, and this equation only involves the first $j-1$ coordinates of $\alpha_i$. Evaluation at a point of $\mathbb{F}_p^{j-1}$ is a linear functional on $R_{j-1}$, and the functionals belonging to distinct points are linearly independent (the functions $\mathbb{F}_p^{j-1} \to \mathbb{F}_p$ are exactly the elements of $R_{j-1}$). Hence, if the projections of the $\alpha_i$ cover $\mathbb{F}_p^{j-1}$ (which needs $m \ge p^{j-1}$), the system determines $g_j$ completely. If $p^{j-1} > m$, the system is underdetermined, and if the projection of $\alpha_{m+1}$ is not among the projections of $\alpha_1, \ldots, \alpha_m$, then evaluation at $\alpha_{m+1}$ is linearly independent of the given equations, so $g_j(\alpha_{m+1})$ takes every value of $\mathbb{F}_p$ equally often on the solution set. (Compare the one-variable case: the polynomials of degree at most $p-1$ in one variable with $p-1$ prescribed values form a set of size exactly $p$: for each value at the remaining point there is one polynomial.) □
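The following Python script is an added example (it is not code from the paper) that runs the argument of lemma 2.16 as an attacker would: for each coordinate $j$ it builds the linear system over $\mathbb{F}_p$ that the known pairs impose on the coefficients of $g_j$, and decides by Gaussian elimination whether the evaluation at a fresh point lies in the span of the known equations; when it does, the same linear combination of the right-hand sides yields the $j$-th coordinate of $\sigma(\alpha_{m+1})$. The secret map, the four leaked pairs and the queried points are constructed for this example. With $m = 4$ pairs over $\mathbb{F}_3$, coordinate 1 ($p^0 = 1$ coefficient) and coordinate 2 (its $p = 3$ first coordinates are all covered) are always predictable, while coordinate 3 (9 coefficients) is predictable only for points that share their first two coordinates with a leaked point, which is the caveat noted after the lemma.

```python
"""Lemma 2.16 as an attack: predicting sigma(alpha) from leaked pairs.

Added example; this is not code from the paper.  The attacker knows m pairs
(alpha_i, sigma(alpha_i)) for a secret sigma = (x_1 + g_1, ..., x_n + g_n) in
B_n(F_p).  For coordinate j each pair gives one linear equation over F_p on the
p^(j-1) coefficients of g_j; the j-th coordinate of sigma(alpha) for a fresh
alpha is determined exactly when the row of monomial values at alpha lies in
the span of the known rows.
"""
from itertools import product

# Constructed secret: sigma = (x_1 + 1, x_2 + x_1^2 + 2 x_1,
# x_3 + 2 (x_1 x_2)^2 + x_1 x_2 + 1) in B_3(F_3), of maximal orbit by theorem 2.3
# (top coefficients 1, 1, 2).  Each g_i is a dict {exponent tuple: coefficient}.
P = 3
SECRET = [{(): 1}, {(2,): 1, (1,): 2}, {(2, 2): 2, (1, 1): 1, (0, 0): 1}]


def eval_poly(g, point, p):
    total = 0
    for exps, c in g.items():
        term = c
        for x, e in zip(point, exps):
            term = term * pow(x, e, p) % p
        total = (total + term) % p
    return total


def apply_map(gs, point, p):
    return tuple((point[i] + eval_poly(g, point[:i], p)) % p for i, g in enumerate(gs))


def eval_row(point, k, p):
    """Values at point[:k] of all monomials of R_k (exponents < p), in a fixed order."""
    row = []
    for exps in product(range(p), repeat=k):
        v = 1
        for x, e in zip(point[:k], exps):
            v = v * pow(x, e, p) % p
        row.append(v)
    return row


def rref_mod_p(rows, ncols, p):
    """Reduced row echelon form over F_p, pivoting on the first ncols columns only."""
    m = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        pivot = next((i for i in range(r, len(m)) if m[i][c] % p), None)
        if pivot is None:
            continue
        m[r], m[pivot] = m[pivot], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [x * inv % p for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c] % p:
                f = m[i][c]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    return m, pivots


def predict_coordinate(pairs, alpha, j, p):
    """j-th coordinate of sigma(alpha) if the pairs determine it, else None."""
    k, ncols = j - 1, p ** (j - 1)
    # augmented system: monomial values at alpha_i | j-th coordinate of sigma(alpha_i) - alpha_i
    rows = [eval_row(a, k, p) + [(b[k] - a[k]) % p] for a, b in pairs]
    m, pivots = rref_mod_p(rows, ncols, p)
    pivot_rows = [row[:ncols] for row in m[:len(pivots)]]
    target = eval_row(alpha, k, p)
    # target lies in the row space iff adding it does not raise the rank
    _, pivots_with_target = rref_mod_p(pivot_rows + [target], ncols, p)
    if len(pivots_with_target) > len(pivots):
        return None
    # In RREF, target = sum_i target[pivots[i]] * pivot_row_i; the same combination
    # of the reduced right-hand sides equals g_j(alpha) for every consistent g_j.
    g_value = sum(target[c] * m[i][ncols] for i, c in enumerate(pivots)) % p
    return (alpha[k] + g_value) % p


def predict(pairs, alpha, p):
    """Predicted coordinates of sigma(alpha); None where the pairs leave it undetermined."""
    return tuple(predict_coordinate(pairs, alpha, j, p) for j in range(1, len(alpha) + 1))


def known_pairs(gs, points, p):
    return [(pt, apply_map(gs, pt, p)) for pt in points]


# Constructed leak: four input/output pairs of the secret map become known.
KNOWN = known_pairs(SECRET, [(0, 0, 0), (1, 0, 2), (2, 1, 1), (0, 2, 0)], P)

if __name__ == "__main__":
    for alpha in [(1, 1, 1), (1, 0, 2), (2, 2, 0)]:
        print(alpha, predict(KNOWN, alpha, P), apply_map(SECRET, alpha, P))
```

The elimination never uses the maximal-orbit constraint (the nonzero top coefficient), exactly as the proof ignores it; that constraint can only shrink the set of candidate maps, never enlarge it, so every coordinate this script predicts is also predictable against the set $\Omega$ of the lemma.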

3 Generalities on polynomial maps $\mathbb{Z} \to \mathbb{F}_p$

The definitions below we took from [3]. These concepts first appeared in [13].

Definition 3.1. Let $A, B \subseteq \mathbb{Q}$. Then define

$\mathrm{Int}(A, B) := \{f \in \mathbb{Q}[T] \mid f(A) \subseteq B\}.$

In this article, $A$ will be $\mathbb{Z}$, and $B$ will be $\mathbb{Z}$ or $\mathbb{Z}_{(p)}$. In particular, we abbreviate $\mathrm{Int}(\mathbb{Z}) = \mathrm{Int}(\mathbb{Z}, \mathbb{Z})$. Note that $\mathrm{Int}(A, B)$ is a subring of $\mathbb{Q}[T]$ whenever $B$ is a subring of $\mathbb{Q}$.

The following is a well-known lemma:

Lemma 3.2.

$\mathrm{Int}(\mathbb{Z}) = \bigoplus_{i \in \mathbb{N}} \mathbb{Z}\binom{T}{i}.$

Proof (sketch). Let $V$ be the set of polynomials of degree $d$ and less having coefficients in $\mathbb{Q}$. The polynomials $\binom{T}{0}, \binom{T}{1}, \ldots, \binom{T}{d}$ form a $\mathbb{Q}$-basis for $V$. This means that $f = \sum_{i=0}^{d} a_i \binom{T}{i}$ for some $a_i \in \mathbb{Q}$. Let $v = (f(0), f(1), \ldots, f(d)) \in \mathbb{Z}^{d+1}$ and $a = (a_0, a_1, \ldots, a_d)$. Define $A := \big(\binom{i}{j}\big)_{0 \le i, j \le d}$ of size $(d+1) \times (d+1)$. Then $v = Aa$ where $A$ has coefficients in $\mathbb{Z}$, is of triangular form, and has only 1's on the diagonal. Hence, $A$ is invertible with an inverse having coefficients in $\mathbb{Z}$. Thus, $a = A^{-1}v$ is a vector in $\mathbb{Z}^{d+1}$, proving the lemma. □

Corollary 3.3.

$\mathrm{Int}(\mathbb{Z}) = \bigoplus_{i \in \mathbb{N}} \mathbb{Z}\binom{T}{i} = \mathbb{Z}\Big[\binom{T}{i} \,\Big|\, i \in \mathbb{N}\Big],$

$\mathrm{Int}(\mathbb{Z}, \mathbb{Z}_{(p)}) = \bigoplus_{i \in \mathbb{N}} \mathbb{Z}_{(p)}\binom{T}{i} = \mathbb{Z}_{(p)}\Big[\binom{T}{i} \,\Big|\, i \in \mathbb{N}\Big].$

If $f \in \mathbb{Z}[\binom{T}{m} \mid m \in \mathbb{N}]$ then it makes sense to consider the map $\mathbb{Z} \to \mathbb{F}_p$ given by $n \mapsto f(n) \bmod p$. Also, if $r \in \mathbb{Z}_{(p)}$, then it makes sense to write down $r \bmod p$ in the following way: if $r = \frac{a}{b}$ where $a \in \mathbb{Z}$, $b \in \mathbb{Z} \setminus p\mathbb{Z}$, then $r \bmod p = (a \bmod p)(b \bmod p)^{-1}$.
Definition 3.4. Define $\tau : \mathrm{Int}(\mathbb{Z}, \mathbb{Z}_{(p)}) \to \mathrm{Hom}(\mathbb{Z}, \mathbb{F}_p)$ by $\tau(f)(n) = f(n) \bmod p$ for any $f \in \mathrm{Int}(\mathbb{Z}, \mathbb{Z}_{(p)})$.

We say that $f, g \in \mathrm{Int}(\mathbb{Z}, \mathbb{Z}_{(p)})$ are equivalent under $\tau$ if $\tau(f) = \tau(g)$.

Remark 3.5. If $f \in \mathrm{Int}(\mathbb{Z}, \mathbb{Z}_{(p)})$ then there is some $g \in \mathrm{Int}(\mathbb{Z})$ which is equivalent to $f$ under $\tau$: by corollary 3.3, replace each $\mathbb{Z}_{(p)}$-coefficient of $f$ in the basis $\binom{T}{i}$ by an integer congruent to it modulo $p$.

Definition 3.6. Define $Q_i := \binom{T}{p^i}$.

Proposition 3.7. Let $f \in \mathrm{Int}(\mathbb{Z}, \mathbb{Z}_{(p)})$ be of degree $d$. Then $f$ is equivalent to some $g \in \mathbb{Z}[Q_0, Q_1, \ldots, Q_r]$ where $r = \lfloor \log_p(d) \rfloor$. Furthermore, $g$ is at most of degree $p-1$ in each $Q_i$.

The above proposition is based on Lucas' Theorem [9]:

Lucas' Theorem: Let $0 \le \alpha_i < p$, $0 \le \beta_i < p$ where $\alpha_i, \beta_i \in \mathbb{N}$. Then

$\binom{\alpha_0 + \alpha_1 p + \alpha_2 p^2 + \cdots + \alpha_n p^n}{\beta_0 + \beta_1 p + \beta_2 p^2 + \cdots + \beta_n p^n} \equiv \binom{\alpha_0}{\beta_0}\binom{\alpha_1}{\beta_1}\binom{\alpha_2}{\beta_2}\cdots\binom{\alpha_n}{\beta_n} \pmod p.$

Proof (of proposition 3.7). First, note that the polynomial $Q_i(T) = \binom{T}{p^i}$ assigns to $a_0 + a_1 p + \ldots + a_i p^i + \ldots + a_n p^n$ (with $0 \le a_j < p$) the value $a_i$ modulo $p$, using Lucas' Theorem. Let $f$ be as in the proposition. By corollary 3.3, $f$ is a $\mathbb{Z}_{(p)}$-linear combination of $\binom{T}{0}, \binom{T}{1}, \ldots, \binom{T}{d}$, which means by remark 3.5 that $f$ is equivalent to a $\mathbb{Z}$-linear combination of $\binom{T}{0}, \binom{T}{1}, \ldots, \binom{T}{d}$. Now if $d = \alpha_0 + \alpha_1 p + \ldots + \alpha_n p^n$ with $n = r$, we use Lucas' Theorem again to derive the following equivalence:

$\binom{T}{d} \sim \binom{Q_0}{\alpha_0}\binom{Q_1}{\alpha_1}\cdots\binom{Q_n}{\alpha_n}.$

Note that $\binom{Q_i}{\alpha_i} = Q_i(Q_i - 1)\cdots(Q_i - \alpha_i + 1)/\alpha_i!$ is a polynomial in $Q_i$ of degree $\alpha_i$ with coefficients in $\mathbb{Z}_{(p)}$ (as $\alpha_i < p$), so the right hand side is a polynomial in $Q_0, \ldots, Q_n$ whose highest term is $Q_0^{\alpha_0} Q_1^{\alpha_1} \cdots Q_n^{\alpha_n}$, and by remark 3.5 we may again take its coefficients in $\mathbb{Z}$. Hence, since $f$ is equivalent to a $\mathbb{Z}$-linear combination of $\binom{T}{0}, \ldots, \binom{T}{d}$, the highest degree in each of $Q_0, \ldots, Q_{n-1}$ is at most $p-1$, and the highest degree in $Q_n$ is $\alpha_n$. □
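The following Python script is an added example (not code from the paper) that carries out the two steps of this proof: lemma 3.2 (the coefficients in the binomial basis are the forward differences $(\Delta^d f)(0)$, i.e. the inverse of the matrix $(\binom{i}{j})$ applied to $f(0), \ldots, f(d)$) and the Lucas reduction $\binom{T}{d} \sim \prod_i \binom{Q_i}{d_i}$. Run on the coefficient $\tfrac12(T^2 + T)$ of example 4.5 with $p = 2$ it returns $Q_0 + Q_1$, which is the replacement for the troublesome division by 2 in that example; the other inputs ($T^3$ for $p = 3$, and the $\mathbb{Z}_{(2)}$-valued $T/3$) are constructed for the example. The dictionary representation of polynomials in the $Q_i$ is this example's own convention.

```python
"""Proposition 3.7 in practice: an integer-valued polynomial as a polynomial
in Q_i = binom(T, p^i) modulo p.

Added example; this is not code from the paper.  Step 1 (lemma 3.2): write
f = sum_d a_d binom(T, d) with a_d = (Delta^d f)(0), the d-th forward
difference at 0.  Step 2 (Lucas): binom(T, d) = prod_i binom(Q_i, d_i) for
d = sum_i d_i p^i, and binom(Q_i, d_i) = Q_i (Q_i - 1) ... (Q_i - d_i + 1) / d_i!
is a polynomial in Q_i, d_i! being invertible mod p since d_i < p.
A polynomial in Q_0..Q_r over F_p is a dict {exponent tuple: coefficient}.
"""
from fractions import Fraction
from math import comb, factorial


def mod_p(r, p):
    """r mod p for r in Z_(p): (a mod p)(b mod p)^-1 where r = a/b (section 3)."""
    fr = Fraction(r)
    return fr.numerator * pow(fr.denominator, -1, p) % p


def binomial_basis(f, degree):
    """Coefficients a_0..a_degree of f in the basis binom(T, d) (lemma 3.2)."""
    coeffs, row = [], [f(i) for i in range(degree + 1)]
    while row:
        coeffs.append(row[0])
        row = [row[i + 1] - row[i] for i in range(len(row) - 1)]
    return coeffs


def poly_mul(a, b, p):
    """Product in F_p[Q_0..Q_r]; no exponent ever reaches p here (each factor has degree < p)."""
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(x + y for x, y in zip(ea, eb))
            out[e] = (out.get(e, 0) + ca * cb) % p
    return {e: c for e, c in out.items() if c}


def binom_Q(i, k, p, r):
    """binom(Q_i, k) for k < p as a polynomial in Q_0..Q_r over F_p."""
    unit = (0,) * (r + 1)
    q_i = tuple(1 if j == i else 0 for j in range(r + 1))
    poly = {unit: 1}
    for s in range(k):                      # Q_i (Q_i - 1) ... (Q_i - k + 1)
        poly = poly_mul(poly, {q_i: 1, unit: (-s) % p}, p)
    inv_fact = pow(factorial(k), -1, p)     # k! is a unit mod p
    return {e: c * inv_fact % p for e, c in poly.items()}


def to_Q_polynomial(f, degree, p):
    """g in F_p[Q_0..Q_r], r = floor(log_p degree), with g(m) = f(m) mod p for all m."""
    r = 0
    while p ** (r + 1) <= degree:
        r += 1
    unit, result = (0,) * (r + 1), {}
    for d, a_d in enumerate(binomial_basis(f, degree)):
        c = mod_p(a_d, p)
        if c == 0:
            continue
        term = {unit: c}
        for i in range(r + 1):              # Lucas: binom(T, d) = prod_i binom(Q_i, d_i)
            term = poly_mul(term, binom_Q(i, (d // p ** i) % p, p, r), p)
        for e, ce in term.items():
            result[e] = (result.get(e, 0) + ce) % p
    return {e: c for e, c in result.items() if c}


def evaluate_Q_polynomial(g, m, p):
    """tau(g)(m): substitute Q_i = binom(m, p^i) mod p, the i-th base-p digit of m."""
    total = 0
    for exps, c in g.items():
        term = c
        for i, e in enumerate(exps):
            term = term * pow(comb(m, p ** i) % p, e, p) % p
        total = (total + term) % p
    return total


def is_equivalent(g, f, p, upto):
    """tau(g) = tau(f) on 0..upto-1 (definition 3.4)."""
    return all(evaluate_Q_polynomial(g, m, p) == mod_p(f(m), p) for m in range(upto))


# Constructed sample inputs.
def half_T_squared_plus_T(m):   # the coefficient (T^2 + T)/2 of example 4.5
    return Fraction(m * m + m, 2)


def cube(m):                    # T^3, which mod 3 is just T by Fermat
    return m ** 3


def third(m):                   # T/3, in Int(Z, Z_(2)) but not in Int(Z)
    return Fraction(m, 3)


if __name__ == "__main__":
    print(to_Q_polynomial(half_T_squared_plus_T, 2, 2))   # Q_0 + Q_1
    print(to_Q_polynomial(cube, 3, 3), to_Q_polynomial(third, 1, 2))
```

Because every $Q_i(m)$ is a base-$p$ digit of $m$, the output only ever needs $r+1$ digits of $m$, which is what makes the flows of section 4 periodic in $m$ with period $p^{r+1}$.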

4 Exponents of triangular maps over $\mathbb{F}_p$

4.1 Some more generalities

Definition 4.1. Define $\mathcal{B}_n := \mathbb{Z}[Q_0, Q_1, \ldots, Q_{n-1}]$ where the $Q_i$ are independent variables, and $\mathcal{B} := \bigcup \mathcal{B}_n$. We also define $S_n := \mathcal{B}_n/\mathfrak{j}_n$ where $\mathfrak{j}_n := (p,\ Q_i^p - Q_i \mid 0 \le i \le n-1)$, so that $S_n = \mathbb{F}_p[Q_0, \ldots, Q_{n-1}]/(Q_i^p - Q_i)$ is an $\mathbb{F}_p$-algebra in which every element $r$ satisfies $r^p = r$; further $\mathfrak{j} := \bigcup \mathfrak{j}_n$ and $S := \bigcup S_n = \mathcal{B}/\mathfrak{j}$. We will abuse notation, and write "$Q_i$" when we might mean "$Q_i + \mathfrak{j}$". At some point we will denote $Q_0$ by $t$.
In section 3 we already introduced the map $\tau : \mathcal{B} \to \mathrm{Hom}(\mathbb{Z}, \mathbb{F}_p)$ defined by $\tau(Q_i)(a) = \binom{a}{p^i} \bmod p$ for $a \in \mathbb{Z}$. (In fact, we can extend the definition to $\tau : \mathbb{Z}_{(p)}[Q_0, Q_1, \ldots, Q_{n-1}] \to \mathrm{Hom}(\mathbb{Z}, \mathbb{F}_p)$, but proposition 3.7 allows us to avoid this extension for now.) However, we will extend $\tau$ naturally to

$\tau : \mathcal{B}[X_1, \ldots, X_n] \to \mathrm{Hom}(\mathbb{Z} \times \mathbb{F}_p^n, \mathbb{F}_p).$

Now the kernel of this map includes the ideal $\mathfrak{i} \subseteq \mathbb{Z}[X_1, \ldots, X_n]$ generated by $p$ and the $X_i^p - X_i$ (the analogue of the ideal $\mathfrak{i}$ of section 2), hence this map factors as

$\tau : \mathcal{B}[X_1, \ldots, X_n] \to \mathcal{B}[x_1, \ldots, x_n] \to \mathrm{Hom}(\mathbb{Z} \times \mathbb{F}_p^n, \mathbb{F}_p)$

where $\mathcal{B}[x_1, \ldots, x_n] = \mathcal{B} \otimes \mathbb{Z}[X_1, \ldots, X_n]/\mathfrak{i}$. Notice that the ideal $\mathfrak{j}$ is also in the kernel ($p$ obviously is, and $\tau(Q_i^p)(a) = \binom{a}{p^i}^p \bmod p = \binom{a}{p^i} \bmod p = \tau(Q_i)(a)$), hence the map factors again:

$\tau : \mathcal{B}[X_1, \ldots, X_n] \to \mathcal{B}[x_1, \ldots, x_n] \to S[x_1, \ldots, x_n] \to \mathrm{Hom}(\mathbb{Z} \times \mathbb{F}_p^n, \mathbb{F}_p).$

Now it is not hard to check that this last map is injective (not surjective!), so $S[x_1, \ldots, x_n]$ represents the part of $\mathrm{Hom}(\mathbb{Z} \times \mathbb{F}_p^n, \mathbb{F}_p)$ that we're interested in. Then, finally, we extend the map $\tau$ to $n$ variables:

$\tau : \mathcal{B}[X_1, \ldots, X_n]^n \to S[x_1, \ldots, x_n]^n \subseteq \mathrm{Hom}(\mathbb{Z} \times \mathbb{F}_p^n, \mathbb{F}_p^n).$

Note that in all equations above one can replace $\mathcal{B}$ by $\mathcal{B}_m$ and $S$ by $S_m$.



4.2 More general triangular groups

If one has a ring $K$, then one can make the groups $B_n(K)$ and $B_n^0(K)$ as described in section 2. But it is possible to make slightly less intuitive groups: suppose that $K_1 \subseteq K_2 \subseteq \ldots \subseteq K_n$ is a chain of rings. Then one can make the set

$\{(X_1 + g_1, X_2 + g_2, \ldots, X_n + g_n) \mid g_i \in K_i[X_1, \ldots, X_{i-1}]\},$

which becomes a subgroup of $B_n^0(K_n)$. However, one can even make this work for more general subsets of $K[X_1, \ldots, X_{i-1}]$ which are not necessarily subrings.

Definition 4.2. Let $K$ be a ring and let $W_i$ be a subgroup of $(K[X_1, \ldots, X_{i-1}], +)$ such that

$W_i \circ (X_1 + W_1, X_2 + W_2, \ldots, X_{i-1} + W_{i-1}) \subseteq W_i.$

Then define

$B(W_1, W_2, \ldots, W_n) := \{(X_1 + g_1, \ldots, X_n + g_n) \mid g_i \in W_i\},$

which is a subset of $B_n^0(K)$.
Lemma 4.3. $B(W_1, W_2, \ldots, W_n)$ is a subgroup of $B_n^0(K)$.

Proof (sketch). The fact that the identity is in $B(W_1, \ldots, W_n)$ follows from the fact that $W_i$ is a subgroup and hence contains $0$. A sketchy proof of the fact that it contains the inverse of an element $(X_1 + g_1, \ldots, X_n + g_n)$: then $(X_1 - g_1, X_2, \ldots, X_n)$ is also in the set, and composing it with this element yields a map whose first coordinate is $X_1$; iterating this process one ends up at $(X_1, \ldots, X_n)$. The requirement "$W_i \circ (X_1 + W_1, X_2 + W_2, \ldots, X_{i-1} + W_{i-1}) \subseteq W_i$" is exactly what is needed to have the set closed under composition: here one needs to check that $g_i(X_1 + h_1, \ldots, X_{i-1} + h_{i-1}) \in W_i$ for each $g_i \in W_i$, $h_j \in W_j$. □

Since one has a group homomorphism $B_n^0(K) \to \mathrm{Perm}(K^n)$, there exists also a group homomorphism $B(W_1, \ldots, W_n) \to \mathrm{Perm}(K^n)$. We study the special case that $K$ is an $\mathbb{F}_p$-algebra such that $r = r^p$ for each $r \in K$. (Given an $\mathbb{F}_p$-algebra, one can get such an algebra by modding out the ideal generated by all $r^p - r$; one could also say that such an algebra is an $\mathbb{F}_p$-algebra whose Frobenius endomorphism $r \mapsto r^p$ is the identity.) We will consider the case of subsection 4.1. Then the map $B_n^0(S) \to \mathrm{Perm}(S^n)$ is a restriction of the map $\tau : S[X_1, \ldots, X_n]^n \to S[x_1, \ldots, x_n]^n \to \mathrm{Hom}(S^n, S^n)$, and thus it makes sense to write down $B_n(S)$; we denote elements in this group like $\sigma := (x_1 + g_1, \ldots, x_n + g_n)$ where $g_i \in S[x_1, \ldots, x_{i-1}]$. Thus, we can also define the subgroup

$B(W_1, \ldots, W_n) \subseteq B_n(S)$

where $W_i \subseteq S[x_1, \ldots, x_{i-1}]$. (Normally we should define this with $W_i \subseteq S[X_1, \ldots, X_{i-1}]$, but the groups coincide modulo $(X_1^p - X_1, \ldots, X_n^p - X_n)$, so this notation makes sense.)

In this article there are two such groups that we consider: remember that we defined $R_m := \mathbb{F}_p[x_1, x_2, \ldots, x_m]$ and $S_i := \mathbb{F}_p[Q_0, \ldots, Q_{i-1}]/\mathfrak{j}$ where $\mathfrak{j}$ is generated by the $Q_i^p - Q_i$, and note that $S_i R_j = S_i \otimes R_j = S_i[x_1, \ldots, x_j]$. We will consider $B(S_1 R_0, S_2 R_1, \ldots, S_n R_{n-1})$ and the one mentioned in the next lemma. Both of them occur naturally in the next subsection.

Lemma 4.4. If $W_i := S_{i-1}R_{i-1} + \mathbb{F}_p Q_{i-1}$, then $W_i \circ (x_1 + W_1, \ldots, x_{i-1} + W_{i-1}) \subseteq W_i$. Hence, $B(W_1, \ldots, W_n)$ is a subgroup of $B(S_1 R_0, \ldots, S_n R_{n-1})$ and of $B_n(S_n)$.

Proof. Let $g_i \in W_i$, i.e. $g_i = P(x_1, \ldots, x_{i-1}) + \lambda Q_{i-1}$ where $P \in S_{i-1}R_{i-1}$ and $\lambda \in \mathbb{F}_p$. Let $h_j \in W_j$; then we need to prove that $P(x_1 + h_1, \ldots, x_{i-1} + h_{i-1}) + \lambda Q_{i-1} = g_i(x_1 + h_1, \ldots, x_{i-1} + h_{i-1}) \in W_i$. Now $x_j + h_j \in S_j R_{j-1} \subseteq S_{i-1}R_{i-1}$ for $j \le i-1$, and since $P \in S_{i-1}R_{i-1}$ we get $P(x_1 + h_1, \ldots, x_{i-1} + h_{i-1}) \in S_{i-1}R_{i-1}$ and we are done. □

4.3 Exponents of triangular maps: $\mathbb{Z}$-flows

Over a field $K$ of characteristic zero, given a strictly triangular polynomial map $F$, it is always possible to give a formula for the exponents $F^m$ of $F$; to be more precise: there is a strictly triangular polynomial map $F_T \in \mathrm{GA}_n(K[T])$ such that $F_m = F^m$ for each $m \in \mathbb{Z}$.³ To give a simple (even linear) example:

Example 4.5. Let $F = (x + y + z,\ y + z,\ z)$. If $F_T := \big(x + Ty + \tfrac12(T^2 + T)z,\ y + Tz,\ z\big)$, then $F_m = F^m$ for each $m \in \mathbb{N}$.

However, if one picks $K$ a field of characteristic two and considers the same map $F := (x + y + z, y + z, z)$, then one runs into trouble defining $F_T$, as it includes the polynomial $\tfrac12(T^2 + T)$. However, we can now use the previous subsection to solve this problem. Note that if $\sigma_T \in B_n(S_n)$, then one can substitute a value $m \in \mathbb{Z}$ for $T$ (thus mapping $Q_i(T)$ to $Q_i(m)$, etc.) and one gets an element $\sigma_m \in B_n(\mathbb{F}_p)$.

Definition 4.6. Let $\sigma \in B_n(\mathbb{F}_p)$. Suppose $\sigma_T \in B_n(S_n)$ is such that $\sigma_m = \sigma^m$ for each $m \in \mathbb{Z}$. Then we call $\sigma_T$ a $\mathbb{Z}$-flow of $\sigma$.

The wording $\mathbb{Z}$-flow comes from the analytic case: if $F$ is a holomorphic map $\mathbb{C}^n \to \mathbb{C}^n$, then under some circumstances one can define a holomorphic map $F_T : \mathbb{C} \times \mathbb{C}^n \to \mathbb{C}^n$ such that $F_a F_b = F_{a+b}$ for each $a, b \in \mathbb{C}$, $F_1 = F$ and $F_0 = I$. Then $F_T$ is called a flow of $F$.

Theorem 4.7. Let $\sigma \in B_n(\mathbb{F}_p)$. Then

(1) there exists a $\mathbb{Z}$-flow $\sigma_T \in B(S_1 R_0, S_2 R_1, \ldots, S_n R_{n-1})$ of $\sigma$,
(2) and even $\sigma_T \in B(W_1, \ldots, W_n)$ where $W_i$ is as in lemma 4.4.



Proof. We use induction on $n$. For $n = 1$, $\sigma = (x_1 + a)$ where $a \in \mathbb{F}_p$, and we can take $\sigma_T := (x_1 + Ta) \in x_1 + R_0 S_0 + \mathbb{F}_p Q_0$ (recall $Q_0 = T$).

Let $\sigma = (\bar\sigma, x_n + g_n) \in B_n(\mathbb{F}_p)$. We know that we can find $\bar\sigma_T \in B(W_1, \ldots, W_{n-1})$ such that $\sigma^m = (\bar\sigma_m, x_n + h_m)$ where $h_m \in R_{n-1}$. Now pick $H_m \in \mathbb{Z}[x_1, \ldots, x_{n-1}]$ such that $H_m \bmod p = h_m$. Define the Lagrange polynomials

$M_i(T) := \prod_{j=0,\ j \ne i}^{p^n - 1} \frac{T - j}{i - j}$

and define $G(T) := M_0 H_0 + M_1 H_1 + \ldots + M_{p^n - 1} H_{p^n - 1}$. Note that $G(T)$ is of degree $p^n - 1$ in $T$, that $G(i) = H_i$, and that $G(T) \in \mathbb{Q}[T][x_1, \ldots, x_{n-1}]$. Thus, if $c(T)$ is one of the coefficients in $\mathbb{Q}[T]$, then $c(\{0, 1, \ldots, p^n - 1\}) \subseteq \mathbb{Z}$. Using lemma 3.2 (its proof only needs the values at $0, \ldots, \deg c$) we get that $c(\mathbb{Z}) \subseteq \mathbb{Z}$. Using proposition 3.7 we can replace each coefficient $c(T) \in \mathbb{Q}[T]$ by an equivalent element in $\mathbb{Z}[Q_0, Q_1, \ldots, Q_{n-1}]$ (as $\lfloor \log_p(p^n - 1) \rfloor = n - 1$), so we can assume that $G_T \in \mathbb{Z}[Q_0, \ldots, Q_{n-1}][x_1, \ldots, x_{n-1}]$. Thus define $g_T \in \mathbb{F}_p[Q_0, \ldots, Q_{n-1}][x_1, \ldots, x_{n-1}] = S_n R_{n-1}$ as the image of $G_T$, and now we can define

$\sigma_T := (\bar\sigma_T, x_n + g_T)$



3 More precisely, without details, it is possible to give a locally nilpotent derivation $D$ such that $F^m = \exp(mD)$, and then one can define $F_T := \exp(TD)$. In this article, we take this as a fact; for details we refer to [5] chapter 2.
and thus $\sigma_m = (\alpha_m, x_n + g_m) = (\alpha^m, x_n + h_m) = \sigma^m$, which is what is required. Left to prove is that $g_T \in \mathbb{F}_p Q_{n-1} + S_{n-1} R_{n-1}$ (where we only have $g_T \in S_n R_{n-1}$ so far). Note that $\sigma^{p^{n-1}}(a, a_n) = (a, a_n + (-1)^{n-1}\alpha)$ where $\alpha$ is the coefficient of $(x_1 \cdots x_{n-1})^{p-1}$ in $x_n + g_n$ (see theorem 2.3). This means that $\sigma^m = (x_1, \ldots, x_{n-1}, x_n + (-1)^{n-1}\alpha)$ if $p^{n-1}$ divides $m$. Write $\lambda = (-1)^{n-1}\alpha \in \mathbb{F}_p$; then $g_{mp^{n-1}} = m\lambda$. Now define $h_T := g_T - Q_{n-1}(T)\lambda$. Then $h_{mp^{n-1}} = 0$, and thus $h_T$ does not depend on $Q_{n-1}$ (which has order $p^n$). Thus, $h_T \in S_{n-1} R_{n-1}$ and $g_T \in S_{n-1} R_{n-1} + \mathbb{F}_p Q_{n-1} = W_n$. □

It might be that this theorem can be improved, in the sense that the $W_i$ can be chosen smaller. This comes down to the following question:

Question 4.8. Find $W_1, \ldots, W_n$ such that

$$B(W_1, W_2, \ldots, W_n) = \{\sigma_T \mid \sigma \in B_n(\mathbb{F}_p)\}.$$

However, the version below is what is needed in the next section (as it is more efficient). We denote $t := Q_0$, thus $\mathbb{F}_p[t] := \mathbb{F}_p[T]/(T^p - T)$.

Theorem 4.9. Let $\sigma \in B_n(\mathbb{F}_p)$. Then there exist

$$\sigma_{i,T} \in B(\mathbb{F}_p t, R_{i+1}[t], R_{i+2}[t], \ldots, R_{n-1}[t]) \subseteq B_n(\mathbb{F}_p[t])$$

for $0 \le i \le n - 1$ such that $\sigma^{p^i m} = \sigma_{i,m}$ for each $0 \le m \le p - 1$.

Proof. Lemma 4.10 gives the case $i = 0$. Defining $\tau := \sigma^{p^i}$, then $\tau \in B_{n-i}(R_i)$, so we can apply lemma 4.10 to $\tau$ to find $\tau_{0,T}$; now define $\sigma_{i,T} := \tau_{0,T}$, and $\sigma^{p^i m} = \tau^m = \tau_{0,m} = \sigma_{i,m}$ for each $0 \le m \le p - 1$. □

Lemma 4.10. Let $\sigma \in B_{n-i}(R_i)$. Then there exists

$$\sigma_{i,T} \in B(\mathbb{F}_p t, R_{i+1}[t], R_{i+2}[t], \ldots, R_{n-1}[t])$$

such that $\sigma^m = \sigma_{i,m}$ for each $0 \le m \le p - 1$.

Proof. Let $M_i(t) := \prod_{0 \le j \le p-1,\; j \neq i} \frac{t - j}{i - j}$. Then define $\sigma_{0,t} := \sum_{i=0}^{p-1} M_i(t)\,\sigma^i$ (coordinatewise). It is now clear that $\sigma_{0,t} \in B_n(\mathbb{F}_p[t])$; one only needs to see that the first component is of the form $x_1 + t\lambda$ for some $\lambda \in \mathbb{F}_p$. But since the first component of $\sigma$ is $x_1 + \lambda$ for some $\lambda$, and thus $\sigma^m$ has $x_1 + m\lambda$ as first component, this is exactly the case. □



5 Efficiently exponentiating maximal orbit triangular maps

5.1 Basic idea 

In some applications (the next section is an example) it might be necessary to evaluate $\sigma^a(v)$ for a given $\sigma \in B_n(\mathbb{F}_p)$ of maximal orbit, and $a \in \mathbb{Z}$, $v \in \mathbb{F}_p^n$. Here we explain how to do this most efficiently, with respect to computation and storage space.

First, we find $\varphi$ and $D$ as given in theorem 2.14, thus $\sigma = D\varphi\Lambda\varphi^{-1}D^{-1}$. Note that because of remark 2.15 it is trivial to compute $\Lambda^a(v)$ for any given $v \in \mathbb{F}_p^n$, $a \in \mathbb{Z}$: this part of the computation is negligible. We will consider any addition to be negligible anyway, and simply count the number of multiplications in $\mathbb{F}_p$ that are needed. Hence, the evaluation $\sigma^a(v)$ needs

• evaluations $D(v)$, $D^{-1}(v)$,

• evaluations $\varphi(v)$, $\varphi^{-1}(v)$.

The storage of $\varphi$ does not immediately mean that $\varphi^{-1}$ is stored (or efficiently computable). However, the following representation solves this:

Definition 5.1. Write $(x_i + g_i)$ for the map $(x_1, \ldots, x_{i-1}, x_i + g_i, x_{i+1}, \ldots, x_n)$. Its inverse is (as can be easily checked) $(x_i - g_i)$.

Note that if $\varphi = (x_1 + g_1, \ldots, x_n + g_n)$ then $\varphi = (x_1 + g_1)(x_2 + g_2) \cdots (x_n + g_n)$. Hence, $\varphi^{-1} = (x_n - g_n)(x_{n-1} - g_{n-1}) \cdots (x_1 - g_1)$. Thus, evaluation of $\varphi^{-1}(v)$ is of the same complexity as $\varphi(v)$, and it is not necessary to store anything extra.

5.2 Storage size 

Storage size of a map $\sigma$ is bounded by the number of different elements in $B_n(\mathbb{F}_p)$ of maximal orbit. Approximately, this means (see lemma ETJ part (vi)) that $\frac{p^n - 1}{p - 1}$ coefficients are necessary.

If we want to store the useful description above, then one stores $D$, $\varphi$ and $\Lambda$, which is approximately double that, i.e. we have to store approximately $2\,\frac{p^n - 1}{p - 1}$ coefficients in $\mathbb{F}_p$.

5.3 Efficiency 

We need to determine how many multiplications are necessary. Note that the basic lemma below can probably be improved (see for example [1]).

Lemma 5.2. Let $f \in \mathbb{F}_p[x_1, \ldots, x_k]$ where $k \ge 1$ and $\deg_{x_i}(f) \le p - 1$ arbitrary. Then the expected number of multiplications to evaluate $f$ is $\mathcal{E}[k] := p^{k-1}$.

Proof. We ignore the one-time computations necessary to evaluate $x^m$ for each $m < \log_2(p)$. A polynomial $f = \sum_{i=0}^{p-1} f_i x_k^i$ where $f_i \in \mathbb{F}_p[x_1, \ldots, x_{k-1}]$, so we need to evaluate the $f_i$ and for all but $f_0$ we need to multiply them by $x_k^i$. This means that $\mathcal{E}[k] = p\,\mathcal{E}[k-1] + p - 1$. Since $\mathcal{E}[1] = 0$, this recursive formula comes down to $\mathcal{E}[k] = p^{k-1} - 1$. We ignore the "$-1$" as we're rounding off some values anyway. □

Lemma 5.3. If $\varphi \in B_n(\mathbb{F}_p)$, then evaluation $\varphi(\lambda)$ for some $\lambda \in \mathbb{F}_p^n$ takes approximately $\frac{p^{n-1} - 1}{p - 1}$ multiplications.

Proof. If $\sigma = (x_1 + g_1, \ldots, x_n + g_n)$ where $g_i \in R_{i-1}$, then evaluation of $\sigma$ means evaluating the $g_i$. By lemma 5.2 evaluation of $g_i$ ($i \ge 2$) costs $p^{i-2}$ multiplications. Thus, we have possibly $1 + p + p^2 + \ldots + p^{n-2} = \frac{p^{n-1} - 1}{p - 1}$ multiplications that have to be done. □

Remark: If $p = 2$, then multiplication is of the same complexity as addition, so the author suspects that the above focus on the "number of multiplications" may be misleading. Nevertheless, we expect that especially the $p = 2$ case is very efficient and can be very useful in applications.



6 A symmetric key cryptographic application: Diffie-Hellman session-key exchange

6.1 Introduction 

In cryptography, it is often desirable to not use a secret key continuously, but only use the secret key to make session keys. If one session key is broken, then the system is not completely (or completely not) broken, except for that session. The generic protocol (Diffie-Hellman session key exchange, see [15] p. 513 or [5] p. 145 protocol 5.2) has the following form:

• Alice and Bob share a secret key $S$, and have a set of parametrized maps $\phi_a$ which commute, $\phi_a \phi_b = \phi_{ab}$.

• Alice chooses a random value $a$, and Bob chooses a random value $b$.

• Alice publicly sends $M_a := \phi_a(S)$, Bob publicly sends $M_b := \phi_b(S)$.

• Alice computes $K := \phi_a(M_b)$, Bob computes $K := \phi_b(M_a)$ and the session key $K$ is established.

In almost all settings the $\phi_a$ is iteration of a map, i.e. there is a map $\phi$ and $\phi_a = \phi^a$; commutativity of all $\phi_a, \phi_b$ is then automatic. (An exception would be Chebyshev polynomials, for example. Then $\phi_a$ is the $a$-th Chebyshev polynomial.) The most common example is in a discrete log session: then $\phi_a$ is simply exponentiation (and $\phi$ is multiplication by the base value), i.e. $\phi_a(h) = h^a$. In this case, there is only one map $\phi$ which is publicly available. In case there are more maps $\phi$ available, then the choice of map is part of the secret key. The most extreme case is when $\phi$ can be any permutation (a not very efficient system, as the secret key will be huge).

Any such system needs to satisfy some basic requirements:

• Preferably, the orbit $\{\phi_a(S) \mid a \in (\text{set of allowed values for } a)\}$ should be the complete set of possible session keys (or at the very least the orbits of $\phi$ should be large). For if not, then an eavesdropper hearing $M_a, M_b$ might learn in which orbit of $\phi$ the key $S$ is, which can be undesirable.

• If one or more session keys are broken, then an attacker knows some triples $(\phi_a(S), \phi_b(S), \phi_{ab}(S))$. It should not be possible to reconstruct $S$ from such triples (or they should only give away very little); this can be under the condition of a certain threshold on the number of broken keys.

• It should be feasible to compute $\phi_a(S)$ (and it should take approximately equally long for each $a$).

In the discrete log setting, the security is based on infeasibility of the discrete log problem: it is then assumed that if $s$ is the secret key, then sending $s^a, s^b$ gives no information on $s$, and if a session key $k = s^{ab}$ is broken, then it is assumed that it is an infeasible problem to find $s$ given $M_a = s^a$, $M_b = s^b$, and $K = s^{ab}$. Note that if one session key is broken, then an attacker does have all information on the secret key $s$ (as there is only one solution $(s, a, b)$ of $s^a = M_a$, $s^b = M_b$, $s^{ab} = K$). This makes this system not desirable for certain applications, like low-power applications where the discrete log setting has to be small (and hence breakable) in order to be computable for the low-power device. Another case is when the communication involves data that can be sensitive for many years (like medical or governmental data), where one should assume that in the future infeasible computations become feasible.

It is possible to provide alternatives to the discrete log setting, but it is not so easy: the most difficult thing is that one needs commuting maps $\phi_a$ for which it is easy to compute $\phi_a(s)$, and where $\phi_a(s)$ gives away no information. The work done in the previous sections provides the tools for exactly such a method: here, $\phi_a$ will be a conjugation of $\sigma^a$ for some $\sigma \in B_n(\mathbb{F}_p)$.

6.2 System description 

Setup phase: Alice and Bob (or a TTP) choose $n \in \mathbb{N}^*$, $p$ a prime, choose some $v \in \mathbb{F}_p^n$, pick a random $\sigma \in B_n(\mathbb{F}_p)$ of maximal orbit and of standard form, and compute $\varphi, D$ as in theorem 2.14 so that $\sigma = D^{-1}\varphi^{-1}\Lambda\varphi D$.

Additionally, a bijection $\omega : \mathbb{F}_p^n \to \mathbb{F}_p^n$ will be chosen.$^4$ Alice and Bob store $(\omega, \varphi, \Lambda, w := \varphi D\omega(v))$ and additionally $\omega^{-1}$, if necessary. (Alice and Bob store $\varphi D\omega(v)$ instead of $v$, as $v$ itself is not needed in computations.)

The map $\phi = \omega^{-1}\sigma\omega$, and $\phi_a = \omega^{-1}\sigma^a\omega$.

Communication phase: Alice and Bob will now establish a session key. 

• Alice chooses a random integer value $a \in [0, p^n - 1]$ and Bob chooses a random integer value $b \in [0, p^n - 1]$.

4 We don't elaborate on what bijections $\omega$ may be chosen; a suggestion is to take triangular polynomial maps, but conjugated with $(x_n, \ldots, x_1)$, i.e. having the variables reversed. Also, depending on the possible choices for $\omega$, one could take a fixed $v$ instead of a random one.
• Alice publicly sends $M_a := \omega^{-1}D^{-1}\varphi^{-1}\Lambda^a(w)$, Bob publicly sends $M_b := \omega^{-1}D^{-1}\varphi^{-1}\Lambda^b(w)$.

• Alice computes $K := \omega^{-1}D^{-1}\varphi^{-1}\Lambda^a\varphi D\omega(M_b)$, Bob computes $K := \omega^{-1}D^{-1}\varphi^{-1}\Lambda^b\varphi D\omega(M_a)$. $K$ is the established session key $\omega^{-1}D^{-1}\varphi^{-1}\Lambda^{a+b}(w)$.
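As an added example (not code from the paper), the following Python toy run carries out the exchange above and the inverse evaluation of Definition 5.1 in section 5.1. It assumes that $\Lambda$ is the map $z \mapsto z + 1$ on $\mathbb{Z}/p^n\mathbb{Z}$ written in base-$p$ digits, and that one constructed triangular map `phi` stands in for the paper's $\varphi$, $D$ and $\omega$ together, so $\sigma = \varphi^{-1}\Lambda\varphi$; the parameters and the $g_i$ are constructed, not the paper's.

```python
# Added example, not from the paper: a toy run of the section 6.2 exchange.
# Assumptions: Lambda is z -> z + 1 on Z/p^nZ written in base-p digits, and
# one constructed triangular map phi stands in for the paper's phi, D and
# omega together, so sigma = phi^{-1} Lambda phi.  phi^{-1} is evaluated as
# the reversed product of Definition 5.1, so nothing extra is stored.
from typing import Callable, Sequence, Tuple

P, N = 3, 3                  # constructed parameters: F_3^3, orbit length p^n = 27
Vec = Tuple[int, ...]

# phi = (x1 + g1, x2 + g2, x3 + g3); each g_i reads only x_1 .. x_{i-1}
GS: Sequence[Callable[[Sequence[int]], int]] = (
    lambda x: 1,
    lambda x: x[0] * x[0] + 2,
    lambda x: x[0] * x[1] + x[1] * x[1],
)

def phi(v: Vec, inverse: bool = False) -> Vec:
    """phi = (x1+g1)(x2+g2)...(xn+gn), rightmost factor applied first; with
    inverse=True, phi^{-1} = (xn-gn)...(x1-g1) from Definition 5.1.  In both
    orders w[:i] holds exactly the values g_i must see when factor i runs."""
    w, sign = list(v), -1 if inverse else 1
    for i in (range(N) if inverse else range(N - 1, -1, -1)):
        w[i] = (w[i] + sign * GS[i](w[:i])) % P
    return tuple(w)

def lam(v: Vec, a: int) -> Vec:
    """Lambda^a: read v as base-p digits of z in Z/p^nZ, return digits of z + a."""
    z = (sum(d * P**i for i, d in enumerate(v)) + a) % P**N
    return tuple((z // P**i) % P for i in range(N))

def sigma_pow(v: Vec, a: int) -> Vec:
    """sigma^a(v) = phi^{-1}(Lambda^a(phi(v))): one phi and one phi^{-1}
    evaluation whatever a is (section 5.1)."""
    return phi(lam(phi(v), a), inverse=True)

def orbit_length(v: Vec) -> int:
    """Length of the sigma-orbit of v; p^n means sigma is of maximal orbit."""
    u, k = sigma_pow(v, 1), 1
    while u != v:
        u, k = sigma_pow(u, 1), k + 1
    return k

def session(v: Vec, a: int, b: int):
    """Section 6.2: both sides hold w = phi(v); M_a, M_b are public and each
    side derives K = sigma^{a+b}(v) from the other's message."""
    w = phi(v)
    m_a, m_b = phi(lam(w, a), inverse=True), phi(lam(w, b), inverse=True)
    k_alice = phi(lam(phi(m_b), a), inverse=True)      # sigma^a(M_b)
    k_bob = phi(lam(phi(m_a), b), inverse=True)        # sigma^b(M_a)
    return m_a, m_b, k_alice, k_bob
```

Because $\Lambda^a\Lambda^b = \Lambda^{a+b}$ holds exactly modulo $p^n$, both derived keys agree for every choice of $a, b$, and the orbit of any $v$ has length $p^n$, as the maximal-orbit requirement of section 6.1 demands.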

6.3 Security 

In order to make computations on security, we will assume that $\omega$ is the identity map; hence the security computations below are only a worst-case bound.

Disclosed information to an eavesdropper: such a person will only hear $\sigma^a(v)$ and $\sigma^b(v)$ while not knowing $a, b, v$ and $\sigma$. Since $\sigma$ is of maximal orbit, $\sigma^a(v)$ can be any value in $\mathbb{F}_p^n$, and the same for $\sigma^b(v)$. This hence gives zero information on $v$, nor on $\sigma$, and there is no information even on $\sigma^{a+b}(v)$.

Breaking a session key: If an attacker breaks a session key $K = \sigma^{a+b}(v)$, how much does this reveal of $\sigma$ and $v$? So now an attacker hears a triple $(\sigma^a(v), \sigma^b(v), \sigma^{a+b}(v))$. For the attacker, $\sigma^a(v)$ is indistinguishable from a random value $w$ since $a$ is random (and unknown). Hence, such a triple can be seen as a triple $(w, \sigma^b(v), \sigma^b(w))$.

Claim: The information learned by a triple $(u, \sigma^b(v), \sigma^b(u))$ is comparable (or less) to the information learned by a pair $(u, \sigma(u))$.

We will not rigidly prove the claim (as we're unable to!), but indicate why it is reasonable to assume the claim: first, notice that the triple $(u, \sigma^b(v), \sigma^b(u))$ has an additional unknown, namely $b$. So, intuitively speaking, having three values is equivalent to having two values with one free variable less. Also, notice that $\sigma^b(v)$ itself looks to the eavesdropper like a random variable (as $b$ is unknown), and that the pair $(u, \sigma^b(u))$ gives less information than a pair $(u, \sigma(u))$.

Lemma 2.16 discusses exactly the information revealed by $(u, \sigma(u))$: for $m \ge 1$ such values, the last $\lfloor \log_p(m) \rfloor + 1$ coordinates of $\sigma$ (and hence of $\sigma^{a+b}$ and $v$) are disclosed while the others are completely unknown. (Notice that if $\omega$ is not the identity, this disclosure is spread out over all the coordinate values in a sort of unclear way, depending on the complexity of $\omega$.) If one wants to be absolutely sure that the system has a degree of forward security, then one could decide to use only the first so-many coordinate values of $\sigma^{a+b}(v)$. For example, ignoring the last coordinate value gives the system $(p-1)$-forward security.

6.4 Storage size 

Stored is $(\omega, \varphi, \Lambda, w)$. Of these, $\varphi$ and $\Lambda$ are described in section 5.2, which means $\frac{p^n - 1}{p - 1}$ coefficients in $\mathbb{F}_p$ for each. Storage size for $\omega$ depends on which maps are allowed; our suggestion of using "lower-triangular" permutations amounts to another share of that size.
6.5 Efficiency

The computational tasks Alice has to do are evaluations $\omega(u)$, $\varphi(u)$, $D(u)$, and $\Lambda(u)$ for $u \in \mathbb{F}_p^n$. Evaluations $\Lambda(u)$ are trivial by remark 2.15, as are evaluations $D(u)$. If we assume $\omega$ is a "lower triangular permutation" this amounts to evaluations of the order described in lemma 5.3, i.e. $\frac{p^{n-1} - 1}{p - 1}$ multiplications. In each session-key establishment each party has to do these evaluations something like 6 times (a fixed finite number of times).

7 Future research

A topic that requires further research is the role of the conjugation map $\omega$ in the last section: how should it be chosen such that it obscures $\sigma^a$ well enough? We proposed triangular maps in the other order of variables, but is this enough? Or is it enough to simply use a linear or affine map?

Acknowledgements: The author would like to thank some people for dis- 